Management protocol for personnel security

Personnel security management lifecycle and how it relates to the mandatory requirements

PER002

This protocol explains the personnel security (PERSEC) risk management cycle, the personnel security lifecycle, and how they relate to the PSR mandatory personnel security requirements.

If you are a chief executive, chief security officer (CSO), senior manager or line manager, understanding the PERSEC lifecycle and meeting the requirements will help you:

  • put robust security practices in place to protect your organisation
  • encourage a culture where everyone adopts the right security behaviours.


Understand the benefits of robust personnel security

Although people are often said to be an organisation’s greatest asset, they can also be a weakness.

Personnel security protects your people, information, and assets by enabling your organisation to:

  • reduce the risk of harm to your people, customers and partners
  • reduce the risk of your information or assets being lost, damaged, or compromised
  • have greater trust in people who access your official or important information and assets
  • deliver services and operate more effectively.

Insider threats come from your past or present employees, contractors or business partners. They can misuse their inside knowledge or access to harm your people, your customers, your assets or your reputation. Personnel security focuses on reducing the risks associated with insider threats.

An ‘insider threat’, or ‘insider’, is any person who exploits, or intends to exploit, their legitimate access to an organisation’s assets to harm the security of their organisation or New Zealand, either wittingly or unwittingly, through espionage, terrorism, unauthorised disclosure of information or loss or degradation of a resource (or capability).

Common insider acts include:

  • unauthorised disclosure of official, private, or proprietary information
  • fraud or process corruption
  • unauthorised access to ICT systems
  • economic or industrial espionage
  • theft
  • violence or physical harm to others.

Many security breaches are unintentional and result from a lack of awareness or attention to security practices, being distracted or being fooled into unwittingly assisting a third party.


Take a risk-based approach to personnel security

Implementing personnel security measures can be costly and disruptive. Your security measures must be considered in light of your organisation’s security context, potential threats and risk appetite.

A risk-based approach to protective security ensures your personnel security policies, practices, and investments are right for the risks your organisation faces.


Create a security culture

Everyone in the organisation contributes to its security culture. Organisational culture has a direct impact on security. Even with the best security processes and tools your organisation will still be at risk if people have a poor attitude toward security.

You should establish a culture where everyone understands the security risks facing the organisation, adopts the right security behaviours and encourages their colleagues to do the same.

Building an effective personnel security culture means getting everyone on board. Responsibilities for personnel security extend throughout your organisation.

Your chief executive holds overall responsibility for protective security within your organisation.

Your chief security officer is responsible for protective security policy, oversight of protective security practices and evaluation activities that inform ongoing improvements.


Follow the personnel security risk management cycle

The personnel security risk management cycle [PDF, 115 KB] shows how your organisation should identify and manage personnel security risks at an organisational level.

The ongoing cycle comprises three key activities.

  • Assess your personnel security risks
  • Manage your personnel security risks
  • Evaluate how effectively you are managing your personnel security risks.

Assess your personnel security risks

You should identify the potential sources of personnel security risk facing your organisation, the way these might present and the types of threat they pose. Your risk assessment should identify roles, or groups of people, who have greater potential to cause harm due to their access to sensitive, valuable or classified information or assets.

Examples of risks your organisation could face are unintentional leaks, theft of intellectual property, fraud, or other criminal activity for personal gain.

Manage your personnel security risks

Each stage of the personnel lifecycle presents distinct challenges. You should consider personnel security from the time you begin recruitment/procurement, when you hire/engage someone, and through to the moment they leave — possibly even after they leave. Implement appropriate measures to treat personnel security risk in each of these stages.

To manage personnel security risks, you must continually and consistently apply the security measures you have identified to all people working for your organisation.

Evaluate how effectively you are managing your risks

Threats faced by an organisation change over time. This means that you must consider whether your understanding of the sources of personnel security risk is accurate and up to date.

You must also consider whether your security arrangements and practices are still effective and suitable. Identify what works well and what doesn’t, and adjust your arrangements accordingly.


Understand the personnel security lifecycle

The personnel security lifecycle [PDF, 87 KB] shows the distinct issues and security measures you should consider at each stage of a person’s time with your organisation.

Government agencies must meet the four mandatory personnel security requirements:

  • Recruit the right person
  • Ensure their ongoing suitability
  • Manage their departure
  • Manage National Security Clearances.

Together, these requirements help to ensure that access to information and assets is only given to suitable people. As part of good practice we recommend that private sector organisations also adopt the personnel security mandatory requirements.

PERSEC1
Minimise risk with robust recruitment processes

Employing or contracting the right person in the right role is the best way to minimise risk.

You should:

  • understand the personnel security risks associated with each role
  • make your pre-employment/pre-engagement checks appropriate to the risk level of the role.

Use pre-employment checks to confirm the identity, eligibility, and capability of the person you are recruiting or engaging.

Set the right expectations at induction

Your induction process should include security awareness training. Your people need to know from the start what their responsibilities are and how to meet them.

PERSEC2
Monitor changes that can affect suitability

People and their circumstances change over time. People who are suitable at the time of their recruitment may become disillusioned, encounter financial difficulties, develop risky behaviour, or simply become careless with security procedures over time.

Make sure you develop systems and procedures to monitor behaviour, and other changes and events, that can affect a person's ongoing suitability.

Manage role changes

It is common for people to enter an organisation in one role then move to another role with greater responsibilities and a higher risk profile. Not completing the appropriate checks for the new role because the person is ‘known’ to the organisation increases the risk of problems.

Make sure that all required pre-employment checks and/or ongoing suitability checks have been completed to the level required for the new role before the person is confirmed in it.

PERSEC3
Take a planned approach to departures

When a person is leaving, they have a greater opportunity to deliberately or accidentally harm your organisation, and can do so with fewer consequences. For example, a person who is leaving a job may feel less bound by security procedures.

  • Take a planned approach to managing the departure.
  • Remove the person’s permission and ability to access your electronic resources, documents and physical sites. This step is especially important in cases of forced departure.
  • Make sure all identification cards and access passes are returned (including any tokens or devices that allow remote access to information systems).
  • Make sure that all property belonging to your organisation is returned.
  • Remind the person of any ongoing obligations about your organisation’s people, information or assets. Remind them in particular about intellectual property or official information.

PERSEC4
Manage national security clearances

Anyone who needs to access material protectively marked at CONFIDENTIAL, SECRET, or TOP SECRET must first be granted a national security clearance by your chief executive, or their delegate.

The level of clearance is based on the security classification of information, assets or work locations that a person needs to access to fulfil their duties — not on rank, seniority, or status.

To manage national security clearances, your organisation must:

  • identify, record, and review positions that require access to CONFIDENTIAL, SECRET, and TOP SECRET information, assets or work locations
  • get a recommendation from the NZSIS before granting a national security clearance
  • check that the person has the right level of clearance before you grant them access
  • ensure the ongoing suitability of all clearance holders to continue to hold a national security clearance.

Your organisation must also notify the NZSIS of any:

  • decision to grant or decline a national security clearance
  • decision resulting in a change to a national security clearance
  • concerns that may affect the suitability of a person to obtain or maintain the appropriate level of clearance
  • clearance holder who leaves your organisation or ends a contract with you.

For more information, see National security clearances.